
Querying groups does not return all groups #8356

Closed
lichao127 opened this issue Jun 21, 2024 · 1 comment · Fixed by #8387

Comments

lichao127 (Contributor) commented Jun 21, 2024

Bug report

When querying groups defined in /etc/group, osquery ignores the group if the line in /etc/group exceeds a certain length, and it ignores any groups below that line too.

What operating system and version are you using?

version = 20.04.6 LTS (Focal Fossa)
platform = ubuntu

What version of osquery are you using?

version = 5.12.2

What steps did you take to reproduce the issue?

- Add 3 empty groups:

```sh
sudo groupadd foogroup1
sudo groupadd foogroup2
sudo groupadd foogroup3
```

- Query groups:

```
$ osqueryi 'select * from groups'
+-------+------------+------------------+
| gid   | gid_signed | groupname        |
+-------+------------+------------------+
| 0     | 0          | root             |
| 1     | 1          | daemon           |
| 2     | 2          | bin              |
| 3     | 3          | sys              |
| 1001  | 1001       | foogroup1        |
| 1002  | 1002       | foogroup2        |
| 1003  | 1003       | foogroup3        |
+-------+------------+------------------+
```

- Modify /etc/group and add 71 users to foogroup1:

```
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
foogroup1:x:1001:abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde,abcde
foogroup2:x:1002:
foogroup3:x:1003:
```

What did you expect to see?

`$ osqueryi 'select * from groups'` should return all groups.

What did you see instead?

```
$ osqueryi 'select * from groups'
+-------+------------+------------------+
| gid   | gid_signed | groupname        |
+-------+------------+------------------+
| 0     | 0          | root             |
| 1     | 1          | daemon           |
| 2     | 2          | bin              |
| 3     | 3          | sys              |
+-------+------------+------------------+
```

By removing the 71st user, the group query worked (returned all groups in /etc/group).

Smjert (Member) commented Jun 25, 2024

Hello @lichao127, thanks for catching this!

This is likely due to this:

```c
#include <unistd.h>

size_t bufsize = sysconf(_SC_GETGR_R_SIZE_MAX); /* -1 (indeterminate) wraps to SIZE_MAX */
if (bufsize > 16384) { /* Value was indeterminate */
  bufsize = 16384; /* Should be more than enough */
}
```

And especially the fact that `_SC_GETGR_R_SIZE_MAX` is a bit of a misnomer, and it's only the initial suggested buffer size.
For instance, on my ArchLinux machine it is 1024 bytes. I think we should not use that and just allocate the buffer at the maximum size we are comfortable to allocate.
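The following is an added example written for this page; it is not osquery's code and not from either commenter. It shows the two behaviours side by side: a fixed buffer that stops at the first over-long `/etc/group` line (the four groups returned above), and the `ERANGE` retry loop that grows the buffer up to a chosen cap, which is the same bound "we are comfortable to allocate". It assumes glibc (`fgetgrent_r` is a GNU extension, `fmemopen` is POSIX.1-2008) and runs over a constructed in-memory file that mirrors the report, including a 71-member `foogroup1`, so it never touches the real `/etc/group`.

```c
#define _GNU_SOURCE /* fgetgrent_r is a GNU extension; fmemopen is POSIX.1-2008 */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototypes so the example still builds if a system header was
 * included before the feature macro above; both match glibc's signatures. */
int fgetgrent_r(FILE *stream, struct group *gbuf, char *buf, size_t buflen, struct group **gbufp);
FILE *fmemopen(void *buf, size_t size, const char *mode);

struct scan_result {
    long groups;            /* entries successfully parsed before the scan ended */
    long foogroup1_members; /* gr_mem count of "foogroup1", -1 if it was never reached */
    int  truncated;         /* 1 if an over-long entry ended the scan early */
    int  final_bufsize;     /* buffer size in use when the scan ended */
};

/* Walk STREAM (text in /etc/group format) with fgetgrent_r. The buffer starts
 * at INITIAL_BUFSIZE; on ERANGE it is doubled (up to MAX_BUFSIZE) and the
 * stream is seeked back so the over-long line is re-read instead of being
 * skipped together with every line after it. With max_bufsize ==
 * initial_bufsize this degrades to the fixed-buffer behaviour in the issue:
 * the first over-long line silently ends the scan. */
static struct scan_result scan_groups(FILE *stream, size_t initial_bufsize, size_t max_bufsize)
{
    struct scan_result r = { 0, -1, 0, (int)initial_bufsize };
    size_t bufsize = initial_bufsize;
    char *buf = malloc(bufsize);
    if (buf == NULL) { r.groups = -1; return r; }

    for (;;) {
        long pos = ftell(stream); /* where this entry starts, needed for a retry */
        struct group entry, *found = NULL;
        int rc = fgetgrent_r(stream, &entry, buf, bufsize, &found);

        if (rc == 0 && found != NULL) {
            r.groups++;
            if (strcmp(found->gr_name, "foogroup1") == 0) {
                long n = 0;
                while (found->gr_mem[n] != NULL) n++;
                r.foogroup1_members = n;
            }
            continue;
        }
        if (rc == ERANGE) {
            if (bufsize >= max_bufsize || pos < 0) { r.truncated = 1; break; }
            /* Too small: grow, rewind to the start of the entry, and retry. */
            bufsize = (bufsize * 2 < max_bufsize) ? bufsize * 2 : max_bufsize;
            char *nbuf = realloc(buf, bufsize);
            if (nbuf == NULL) { r.groups = -1; break; }
            buf = nbuf;
            r.final_bufsize = (int)bufsize;
            if (fseek(stream, pos, SEEK_SET) != 0) { r.groups = -1; break; }
            continue;
        }
        /* glibc reports "no more entries" as ENOENT; anything else is a real error. */
        if (!(rc == ENOENT || feof(stream))) r.groups = -1;
        break;
    }
    free(buf);
    return r;
}

/* Constructed sample mirroring the report: four system groups, foogroup1 with
 * N_MEMBERS members, then two empty groups after it. Not a real file. */
static char *build_sample_group_file(size_t n_members)
{
    const char *head = "root:x:0:\ndaemon:x:1:\nbin:x:2:\nsys:x:3:\nfoogroup1:x:1001:";
    const char *tail = "\nfoogroup2:x:1002:\nfoogroup3:x:1003:\n";
    char *text = malloc(strlen(head) + n_members * 6 + strlen(tail) + 1);
    if (text == NULL) return NULL;
    strcpy(text, head);
    for (size_t i = 0; i < n_members; i++)
        strcat(text, i == 0 ? "abcde" : ",abcde");
    strcat(text, tail);
    return text;
}

/* Scan constructed text through an in-memory stream. */
static struct scan_result scan_text(const char *text, size_t initial_bufsize, size_t max_bufsize)
{
    struct scan_result failed = { -1, -1, 0, 0 };
    FILE *stream = fmemopen((void *)text, strlen(text), "r");
    if (stream == NULL) return failed;
    struct scan_result r = scan_groups(stream, initial_bufsize, max_bufsize);
    fclose(stream);
    return r;
}

int main(void)
{
    char *text = build_sample_group_file(71);
    if (text == NULL) return 1;
    struct scan_result fixed = scan_text(text, 64, 64);      /* no growth: reproduces the bug */
    struct scan_result grown = scan_text(text, 64, 1 << 20); /* grow on ERANGE: the fix */
    printf("fixed 64-byte buffer: %ld groups, truncated=%d\n", fixed.groups, fixed.truncated);
    printf("growing buffer      : %ld groups, foogroup1 has %ld members, final buffer %d bytes\n",
           grown.groups, grown.foogroup1_members, grown.final_bufsize);
    free(text);
    return 0;
}
```

Two points worth noting when adapting this. First, `fgetgrent_r` leaves the stream positioned inside the over-long line after `ERANGE`, which is why the loop records `ftell` before each call and seeks back before retrying; the NSS-backed `getgrent_r` on `/etc/group` is documented to be retryable with a larger buffer on `ERANGE`, but silently dropping the entry, as the clamped fixed buffer does, is never the right outcome for an inventory table. Second, the cap (`max_bufsize`) is the real security decision: it bounds memory per call on a file that any local administrator can grow, and a scan that hits the cap should report truncation rather than return a partial, plausible-looking list.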
